Stopping an attack once it has begun, and is spreading very quickly, may not be that easy, especially when some upper managers don't like systems being brought down to protect them, when those systems handle and monitor a lot of activities worldwide, and when IT doesn't have a clear understanding of what's happening and fears disruptions. Maersk is not Facebook: if the latter halts, nothing really happens, but when one of the biggest goods movers is unable to move them, ships can't load or unload, cargo can't be sorted, and it is a far different issue.

Probably in their situation they really didn't have the right policies to assess the situation, stop it quickly enough and activate a contingency plan. Hope they learnt.

And hope it taught many other companies that even if IT is not their core business, it's at the core of their business anyway.

Easy to mitigate

- Patch your o/s monthly

- Regularly patch your apps that open files (Word/PDF etc.)

- Don't run an o/s or app that is no longer in patching support

- Don't let apps connect to the internet to pull down their own updates in an enterprise environment; test updates in a sandbox first, then use your software deployment tools to push out the tested updates

- Run anti-virus, update it hourly, and AV-scan all files on demand

- Scan incoming email using AV and block .exe attachments

- Scan and block sites when web browsing using a web proxy and AV scanner

- Set web browsers to block adverts and Flash

- Use a local hosts file to sinkhole malware and advert sites to 127.0.0.1
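As an added example (my code, not the commenter's), here is a check a practitioner would want behind the "block .exe attachments" item: filtering on the declared filename alone misses an executable that has simply been renamed, so this Python script also inspects each attachment's bytes for a Windows PE layout (an "MZ" DOS header whose e_lfanew field points at the "PE\0\0" signature). The sample message is constructed inline and is not a real capture; the addresses and filenames are invented.

```python
import email
from email import policy
from email.message import EmailMessage


def is_pe_executable(data: bytes) -> bool:
    """Return True if the bytes have a Windows PE layout: an 'MZ' DOS header
    whose e_lfanew field (offset 0x3C) points at the 'PE' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def flag_executable_attachments(raw_message: bytes) -> list:
    """Parse an RFC 822 message and list attachments that are executables,
    either by extension (.exe) or by content (PE header), whatever the name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe"):
            flagged.append((name, "extension"))
        elif is_pe_executable(payload):
            flagged.append((name, "pe-header"))
    return flagged


def build_sample_message() -> bytes:
    """Constructed test input (not a real capture): one clean PDF, one .exe,
    and one PE renamed to look like a PDF."""
    # Minimal fake PE: 'MZ', zero-filled DOS header, e_lfanew = 0x40,
    # and the 'PE\0\0' signature at offset 0x40. Not a runnable binary.
    fake_pe = (
        b"MZ" + b"\x00" * (0x3C - 2)
        + (0x40).to_bytes(4, "little")
        + b"PE\x00\x00" + b"\x00" * 16
    )
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # hypothetical addresses
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    msg.add_attachment(fake_pe, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in flag_executable_attachments(build_sample_message()):
        print(f"blocked {name}: {reason}")
```

Running it blocks `setup.exe` on its extension and `invoice.pdf` on its PE header, while the genuine PDF passes; the same content check belongs on the web proxy and on any file-share scanning, since the renaming trick works equally well there.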

Re: Easy to mitigate

One thing I can guarantee: if you think stopping all malware is "easy to mitigate" then you either don't have much experience in a large company or you have your head buried in the sand. People who do things right definitely do not find it easy, and will have a dedicated security team or at least a dedicated security officer who has a full-time job just managing the security of the enterprise.

If it was easy then they would be out of a job.

Anyone who has to do the security bit on the side of their main sysadmin job or IT manager job will probably tell you that they fully understand the issue, that it is a constant battleground and that a lot of it involves crossing their fingers; or they are clueless.

Much the same goes for disaster recovery or general business continuity: not easy at all. Even if on paper you can convince yourself it is easy, anything other than an SME or smaller will probably be hoping nothing major happens rather than being truly convinced that they can cope with any eventuality.

If I was to employ someone in IT security I would be looking for someone who says "it is difficult, but I can ensure that xyz issues are covered and this is my strategy for emerging threats, etc." rather than someone who says "it's easy, I can ensure you never have an issue", because I would know they don't have a clue.

Re: Easy to mitigate

"not the swiss cheese Ukrainian one they did"

Probably their Ukrainian subsidiaries and other connected businesses didn't have much choice. Some accounting and tax reports are very country-specific, because of the usual complex local regulations.

Use a local hosts file to sinkhole

What's the web proxy for? You can route all web traffic through the proxy anyway, even for those users who try to bypass it (although in my experience those are often the sysadmins themselves). In some environments the proxy shouldn't blacklist; it should whitelist and block everything else.

Re: Easy to mitigate

You MUST USE the local government-supplied software; don't use it, and you are out of business.

The fact that it is supplied from fixed IP addresses over HTTP connections and auto-installs and updates has nothing to do with it.

Boy..... is a reckoning coming to China, once the malware writers start doing research into local government offices and their piss-poor requirements of "nepotism software" they force on local businesses.

He says he was told by the people who had f-cked up that there was nothing that could have been done to stop the attack with the kind of funding the IT dept. had. The three IT guys were very vocal about it!